Gradient Inversion with Generative Image Prior
This work highlights a critical vulnerability in Federated Learning systems, posing a privacy risk for users, and is incremental as it builds on existing gradient inversion methods by incorporating generative priors.
The authors tackled the problem of data privacy in Federated Learning by showing that gradients can be inverted to reveal sensitive client data using a generative model as prior knowledge, and they demonstrated that such a prior can be learned from gradients during training, with experimental results indicating successful privacy breaches.
Federated Learning (FL) is a distributed learning framework, in which the local data never leaves clients devices to preserve privacy, and the server trains models on the data via accessing only the gradients of those local data. Without further privacy mechanisms such as differential privacy, this leaves the system vulnerable against an attacker who inverts those gradients to reveal clients sensitive data. However, a gradient is often insufficient to reconstruct the user data without any prior knowledge. By exploiting a generative model pretrained on the data distribution, we demonstrate that data privacy can be easily breached. Further, when such prior knowledge is unavailable, we investigate the possibility of learning the prior from a sequence of gradients seen in the process of FL training. We experimentally show that the prior in a form of generative model is learnable from iterative interactions in FL. Our findings strongly suggest that additional mechanisms are necessary to prevent privacy leakage in FL.